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This document constitutes the final report of the Demonstration ACT System Definition 
of the Integrated Application of Active Controls (lAAC) Technology to an Advanced 
Subsonic Transport Project. The report covers work performed from November 1980 
through June 1981 under Contract NASl-15325. 

The NASA Technical Monitor for this task was D. B. Middleton of the Energy Efficient 
Transport Project Office at Langley Research Center. 

The work was accomplished within the Preliminary Design Department of the Vice 
President-Engineering organization of the Boeing Commercial Airplane Company. Key 
contractor personnel who contributed were: 
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C. B. Crumb, Jr. 
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K.A.B. Macdonald 
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A. P. Sassi 
R. J. Dorwart 


Program Manager 

lAAC Project Manager 

Task Manager— Demonstration ACT System 
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Product Assurance 
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Flight Controls Design 

Product Assurance 


During this study, principal measurements and calculations were made in customary units 
and were converted to Standard International units for this document. 

Use of trade names or names of manufacturers in this report does not constitute an 
official endorsement of such products or manufacturers, either expressed or implied, by 
the National Aeronautics and Space Administration. 
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1.0 SUMMARY 


This document reports the results of a brief task of the Integrated Application of Active 
Controls (lAAC) Technology to an Advanced Subsonic Transport Project, a part of the 
NASA Energy Efficient Transport (EET) Program. This task is a follow-on to the lAAC 
Current and Advanced Technology Control System Definition Study, and the output of this 
task is the foundation for an ensuing Test Active Controls Technology (ACT) System to be 
built for feasibility testing in laboratory and flight. The work yielded: 

• Definition of an ACT airplane to the extent required for control system definition 

• Definition of a complete ACT system configuration appropriate to a new ACT airplane 
design, as opposed to a system devised for technology demonstration on an existing 
airplane 

Both of these items include projected 1985 technology advances. From this basis, the 
Test ACT System is being defined for flight in an existing test airplane. The latter 
system will include those functions that are deemed critical to demonstration of the 
feasibility of a commercial ACT transport airplane. 

The ACT airplane is derived from prior lAAC airplane studies. It resembles the Final 
ACT Airplane but incorporates fly-by-wire (FBW) control in all three primary control 
axes. A number of other innovative features proposed in the study period were reviewed 
and rejected. 

Definition of the ACT system was strongly influenced by certain key features, especially 
the requirement for short-period pitch augmentation reliability. Including that function 
enabled removing the requirement of airframe inherent longitudinal stability. The 
airplane could then be (1) rebalanced with the cruise center of gravity (eg) moved aft 10% 
for reduced trim drag and (2) equipped with a smaller horizontal tail with attendant 
savings in both drag and weight. Those changes yielded about a 6% reduction in block fuel 
at design range. The reliability requirement for short-period pitch augmentation and FBW 
led to the selection of quadruple analog computers to back up the four digital computers 
used for normal operation of all functions. The analog backup provides basic FBW control 
and short-period pitch augmentation. The sensors needed to implement this system are 



conventional, as are the actuators except those for the flaperons. Flaperons are control 
surfaces that are part of the wing trailing-edge flap system, which has extensive motion 
with respect to primary wing structure. This necessitates special power transmission 
provisions and special design for protection of the redundant hydraulic power circuits. 

The key issue of reliability of the system discussed in the prior paragraph was addressed 
with an estimate of the reliability of crucial functions. Based upon conservative failure 
rate assumptions, the system will meet the Federal Aviation Administration (FAA) 
criterion of "extremely improbable" for failure of functions essential to flight. 

Redundancy management problems multiply in such a quadruple-quadruple computer 
scheme; one of these, the transfer of control responsibility from one computer set to the 
other, was not resolved during work on this task. Because that system configuration with 
the backup computer set is essential to meeting the crucial function reliability 
requirement, the control transfer problem is the subject of continuing research. 



2.0 INTRODUCTION 


The Integrated Application of Active Controls Technology to an Advanced Subsonic 
Transport Project has three major objectives. The first objective is the credible 
assessment of the benefit to a commercial jet transport airplane of full application of 
active controls designed into the airplane from the. beginning of the airplane program. 
The second objective is identification of the risks associated with the use of Active 
Controls Technology. The third objective is reduction of these risks to a level 
commensurate with commercial practice, through test and evaluation, to the degree 
possible within funding limitations. 

This project has been organized into three major elements as shown at the top of Figure 1. 
The first major element included establishment of the design criteria appropriate for an 
ACT airplane; design of an ACT airplane configuration to meet the selected criteria; 
design of an ACT control system based upon current technology; and selection and 
evaluation of a Final ACT Configuration. In parallel with these tasks, the Advanced 
Technology ACT Control System element shown in Figure 2 included exploration of 
optimal control synthesis methods and alternative means of implementing the ACT 
functions using advanced technology. The work covered by this report was the last 
activity of this element of the lAAC Project, and the Demonstration ACT System so 
designed provided a foundation for the third and final element of the project. 

The final major element of the lAAC Project addresses reduction of risk, through test and 
evaluation, associated with implementation of ACT on a commercial transport. Figure 3 
shows this final element. Reference 1 contains a more detailed discussion of the lAAC 
Project Plan. 

As shown in Figure 3, the Test and Evaluation element is composed of four primary parts, 
of which the largest is ACT system hardware and software acquisition and test. This part 
comprises laboratory and flight test of an ACT system called the Test ACT System. The 
Test ACT System is derived from the Demonstration ACT System. 
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A meaningful ACT system definition requires the definition or assumption of the ACT 
airplane, of which the system is an integral part. Therefore, this task began with the ACT 
Airplane Definition as shown in Figures 2 and k. This was accomplished as a projection ^ 

based upon the airplane configurations produced in earlier lAAC tasks. These airplane 
definition tasks are shown in Figure 1 and are reported in References 2, 3, 4, 5, 6, and 7. 

The resulting airplane, reported in Section 4.0, retained those ACT functions that had 

been shown to be beneficial and added full FBW primary flight control. C 
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Figure 3. Test and Evaluation Element 


Candidate system architectures, selection criteria, and rationale for the system chosen 
are discussed in Section 5.0. Section 5.0 also includes brief descriptions of the system 
components, its redundancy management, and its reliability. 
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Figure 4. A CT Tasks 4.2. 7 and 4.2. A Task Flow 


3 


3 


3 


3 


7 


3 










r n n 


n 











1 


3 


3 


'3 


D 


D 


3 


3 


3 


3 


3.0 SYMBOLS AND ABBREVIATIONS 
3.1 GENERAL ABBREVIATIONS 


ac 

alternating current 

A 

ampere 

AAL 

angle-of-attack limiter 

ACT 

Active Controls Technology 

A/D 

analog-to-digital converter 

AFCS 

automatic flight control system 

Ah 

ampere-hour 

APB 

auxiliary power breaker 

APU 

auxiliary power unit 

AR 

aspect ratio 

ARINC 

Aeronautical Radio Incorporated 

BITE 

built-in test equipment 

BTB 

bus tie breaker 

eg 

center of gravity 

C 

Celsius 

CPU 

central processing unit 

CSEU 

control system electronic unit 

CY 

calendar year 

dc 

direct current 

DADC 

digital air data computer 

DRO 

design requirements and objectives 

EET 

Energy Efficient Transport (Program) 

EPC 

external power contactor 
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fig- 

FAA 

FBW 

FMC 

FTMP 

g 

gen 

GCB 

GLA 

Hz 

lAAC 

I/O 

IRS 

kn 

kPa 

Ibf 

LAS 

LRU 

LVDT 

MLC 

N 

N*m 

PAS 

PCU 

Pi 

P2 


figure 

Federal Aviation Administration 
fly by wire 
flutter-mode control 
fault-tolerant multiple processor 
acceleration due to gravity 
generator 

generator circuit breaker 
gust-load alleviation 
hertz 

Integrated Application of Active Controls Technology to an Advanced 
Subsonic Transport Project 

input/output 

inertial reference system 
knot 

kilopascal 

pound-force 

lateral/directional-augmented stability 

line replaceable unit 

linear variable differential transformer 

maneuver-load control 

newton 

newton meter 

pitch-augmented stability 

power control unit 

hydraulic supply pressure, hydraulic system 1 
hydraulic supply pressure, hydraulic system 2 
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q 

dynamic pressure 

3 

Q 

pitch rate 

ref 

reference 


Ri 

hydraulic return pressure, system 1 


R2 

hydraulic return pressure, system 2 

3 

sec 

second (same as s) 


SIFT 

software-implemented fault tolerance 


T-R 

transformer-rectifier 

3 

V 

volt 


VA 

volt-ampere 


VYRO 

angular rate sensor (trade name) 

3 

WLA 

wing-load alleviation 

3.2 SYMBOLS 
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q. 

centerline 


A 

change in quantity 


\ 

failure rate 
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If.o ACT AIRPLANE DEFINITION 


In this work, the lAAC technical team identified those features of the airplane that are 
essential to control system definition. The airplane is based upon prior ACT airplane 
configuration studies and is specified only to the detail required for control system 
definition purposes. 


APPROACH 

The first ACT airplane configuration produced in the lAAC Project is the Initial ACT 
Airplane, documented in References 5 and 6. Its ACT control system provided all ACT 
functions found to be beneficial and enabled 10% aft rebalancing, a 45% reduction in 
horizontal tail area, and a lighter wing structure. These changes yielded a 6% reduction 
in block fuel requirement at design range referred to the Baseline Airplane (ref 4). 

The Initial ACT design was constrained to use of the Baseline wing planform. It was 
expected that further efficiency gain beyond that of Initial ACT could be realized by 
development of a new wing design taking benefit of active control functions. 

That expectation was borne out by the Wing Planform Study and Final Configuration 
Selection (refs 2 and 3). The Final ACT Configuration, Model 768-107, using an aspect 
ratio (AR) 12 wing of extended span, referred to the AR 10 Baseline wing, yielded 10% 
reduction in block fuel. Both Initial and Final ACT Airplanes were designed for cruise eg 
10% aft of the Baseline range, and horizontal tail area 45% less than that of the Baseline; 
both of those changes were made possible by use of two active control functions: crucial 
pitch-augmented stability and angle-of-attack limiting. This 10% more fuel-efficient 
Final ACT Airplane was the basis for the airplane definition work of this task. 

Starting from that point, definition of the ACT airplane configuration resulted from the 
collective engineering judgment and analysis of a multidiscipline technical group in a 
series of review meetings, with special studies providing a foundation for some of the 
less-easily-made decisions. 



4.2 ACT AIRPLANE 


4.2.1 CONFIGURATION 

Figure 5 is a two-view drawing of the ACT airplane, designated Model 768-109. It is 
derived from Model 768-107, the Final ACT Airplane defined in the Wing Planform Study 
and Final Configuration Selection (refs 2 and 3); thus it includes the high-aspect-ratio 
wing, smaller horizontal tail, and aft eg range. The control surfaces used by the active 
control functions are: 

• Two single-segment, double-hinged elevators, each powered by three side-by-side 
primary hydraulic actuators 

• Two double-hinged rudders, each driven by two primary actuators 

• Conventional outboard ailerons with two primary actuators each 

• Inboard and outboard flaperons, which are control surfaces carried by wing trailing- 
edge flaps 

• The movable horizontal stabilizer 

Because the ACT airplane has fly-by-wire control in all axes, the inboard ailerons and the 
flight spoilers are also controlled by the ACT system although they are not used for active 
control functions. 

4.2.2 ACT FUNCTIONS 

After carefully considering the costs and benefits of all of the ACT functions studied in 
prior lAAC tasks, pitch-augmented stability (PAS); angle-of-attack limiting (AAL); 
lateral/directional-augmented stability (LAS); and wing-load alleviation (WLA), composed 
of maneuver-load control (MLC) and gust-load alleviation (GLA), were retained. Table 1 
lists these functions and their reliability requirements. 









Table 1. ACT Functions and Reliability 


ACT function 

Criticality^ 

Reliability requirement (probability 
of failure during a 1-hr flight) 

Pitch-augmented stability, short-period 

Crucial 

10"® 

Pitch-augmented stability, speed (PASgp^^g) 

Critical 

10'® 

Angle-of-attack limiter (AAL) 

Critical 

cb 
10 ° 

Lateral/directional-augmented stability (LAS) 

Critical 

10'® 

Gust-load alleviation (GLA) 

Critical 

10"® 

. Maneuver-load control (M LC) 

Critical 

. 10“® 


a"Crucial": function loss results in loss of aircraft. 

"Critical": function loss presents threat of aircraft loss that can be averted by immediate and appropriate crew action. 
^10”® for inadvertent operation. 


Flutter-mode control (FMC) had been found to be beneficial to the Initial ACT Airplane, 
in which it suppressed a 3-Hz inboard wing and nacelle mode for which structural 
correction would have entailed a large weight penalty. Analysis, of the Final ACT high- 
aspect-ratio wing showed the 3-Hz inboard mode to be absent, but disclosed a 7-Hz 
outboard wing flutter mode that could be eliminated by addition of a small amount of 
structural material or by a relatively heavy and expensive flutter-mode control system. 
Therefore, FMC was omitted from this ACT airplane and the outboard aileron retained its 
normal single-panel form. 

4.2.3 FLY-BY-WIRE SYSTEMS 

A major change from prior ACT airplane configurations is the inclusion of FBW primary 
controls in all axes. The retention of a crucial pitch augmentation system makes the 
airplane's pitch stability, and hence flight safety, dependent upon an electronic flight 
control. Pitch FBW control could be incorporated into that electronic system with no loss 
of safety and with attendant weight reduction of 156 kg (345 lb) and purchase cost 
reduction of about $90 000. This comparison made pitch FBW clearly advantageous. 

Like the Baseline Airplane, the ACT airplane has FBW actuators driving the flight 
spoilers, which operate differentially to provide part of the roll control. Thus the roll axis 
is partly FBW at the start. With WLA requiring full-authority electronic control of the 
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ailerons, extending that system to include pilot and autopilot signals to the ailerons yields 
weight reduction and first cost reduction similar to that quoted previously for the pitch 
axis. 

The argument for FBW in the yaw axis is less clear cut, because the LAS augmentation 
requires only limited-authority FBW secondary actuators. On the other hand, automatic 
landing and rollout guidance in cross-wind conditions need large automatic rudder 
deflections; and again significant weight and first cost reductions, similar to those 
estimated for the pitch axis, are realized by deletion of the mechanical coupling between 
rudder pedals and rudder servoactuators. 

POWER SYSTEMS 


The ACT airplane electric power system is the same as that of the Selected System (refs 
8 and 9). It is the Baseline electric power system with changes as shown in Figures 6 



Figure 6. ACT Airplane Electric Power System 
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and 7. To provide adequate backup dc for a 30-min flight after loss of both engine-driven 
ac generators, it was necessary to add one 40-Ah battery and the associated battery 
charger. It was also necessary to increase the ratings of two transformer-rectifiers and 
to add, for the individual ACT channel power supplies shown in Figure 7, four 
transformers and four 150-VA static inverters. 

The hydraulic power supply and load comparison indicated that the Baseline hydraulic 
supplies would be adequate for the airplane with the ACT system additions; no change was 
made to the hydraulic power supply. 
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Figure 7. Detail of ACT Channel Power Supply (Typical) 
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5.0 DEMONSTRATION ACT SYSTEM ARCHITECTURE 


This section describes the system configuration and component selection appropriate to a 
full-capability ACT system for the 1985 ACT airplane. 


5.1 KEY SYSTEM FEATURES 


The primary source of fuel saving in the ACT airplane is incorporation of full-time, full- 
authority PAS, which allows an aft-balanced airframe and leads to the sharply reduced 
trim drag and the smaller horizontal tail discussed in Subsection 4.1. This makes pitch 
augmentation essential to safe flight, and it becomes a crucial function (see table 1). 
Figure 8, reproduced from an FA A advisory circular (ref 10), relates different 
consequences of failures in passenger aircraft to acceptable probability of such failures. 



Figure 8. Relationship Between the Consequence of Failure and the Probability of Occurrence 



c 


The width of the shaded band represents the band of uncertainty, and the line in the 
center of the band represents the nominal values. As shown there, loss of a function such 
as crucial pitch augmentation that can lead to loss of life must be "extremely 
improbable," which is interpreted as requiring a probability of occurrence of less than 
10“9 during a 1-hr flight. That very high reliability is the feature of greatest importance 
in determination of system architecture. 

The incorporation of FBW controls raises a new and important problem of the feel system 
form and function. The Baseline Airplane pitch axis feel provision is a redundant, 
q-scheduled hydromechanical computer mechanism, installed at a point remote from the 
cockpit to simplify inclusion of stabilizer position feedback in this entirely nonelectronic 
mechanism. The feel force is communicated to the cockpit by the mechanical control 
linkage; this path would be absent in the FBW pitch axis and hence the feel system must 
take a distinctly different form. 

Prior lAAC control system studies (refs 8 and 9) had indicated that the extreme reliability 
required of the crucial pitch control function necessitated two sets of redundant control 
computers, called the ACT Primary System and the Essential System; hence all of the 
candidate systems discussed in the following section have that form. 

5.2 SYSTEM ARCHITECTURE 
5.2.1 CANDIDATE SYSTEMS AND ARGUMENTS 

The process of determining the Demonstration ACT System architecture consisted of the 
iterative application of collective engineering judgment. In between those iterations, 
special studies were conducted to provide data on key questions raised previously. 


Certain important and frequently introduced issues tended to drive the decision process. 
One of these was the so-called generic software error; i.e., the existence of an error 
common to sets of identical software that may be encountered simultaneously by all 
digital control computer channels and thus be unrecognized in cross-channel comparison. 
Because of this possibility, it was concluded that pitch axis control could not be entrusted 
solely to a set of redundant digital computers with common software. When analog 
computers were substituted in these crucial functions, the question of test and monitor in 


C 



analog systems arose. While these crucial analog computers can themselves be simple and 
low in parts count, the addition of either inline or cross-channel monitoring of such 
computers, if done in analog circuitry, tends to multiply the parts count severely. 

Another important question arose from the belief that the extreme reliability necessary in 
crucial functions required a backup system for the ACT Primary Computers; all of the 
■) candidate systems considered have redundant backup computers called "Essential." Given 

that scheme, the question of how to switch from the Primary to the Essential Computers 
becomes a difficult one. 


3 Figures 9, 10, and 11 show candidate system architectures that were considered. They are 

represented in those figures in terms of how they handled the crucial elevator control 



• Both computer sets adaptable to cross • Both computer sets subject to undetected 

comparison, self-test, and self-monitor common software error 

via software 


J • Both computer sets allow easy mathematical 

model as servo comparison reference 

• High-reliability Essential Computers provide 
transfer switching capability in software 

• Ready match to test airplane 

^ Figure 9. Candidate Selected System 
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• Simplest redundancy management In crucial 
function; no output switching, no cross-chahnel 
vote 

• Eliminates secondary servos for elevators 

• ACT Primary Computer outputs can be limited 
authority 


• Requires four elevators— heavier and more 
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two elevators) 

• No means of detecting failed elevator channels; 
hence not truly twice fail-operative 


Figure 10. Candidate Pure Brick-Wall System (Limited Authority, Primary) 
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functions. The first candidate system illustrated in Figure 9 represents the Selected 

System (refs 8 and 9) as it is configured for control of the elevators. ("Selected System" C 

is the name applied to the final configuration chosen in the earlier Configuration/AGT 

System Design and Evaluation contract element.) The digital computer's adaptability to 

cross-channel comparison, self-test, self-monitor, and generation of a mathematical 

model of a servoactuator for use as an output comparison reference are among the C 

favorable arguments listed there. The fourth Essential Computer shown in Figure 9 

provides an independent servoactuator model, enabling continued monitored operation 

after two actuator failures. Still both sets of computers are subject to the generic 

software error; that single negative feature is an unsolved problem and is the "fatal flaw" C 

that ruled out that candidate. 
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Figure 10 is a candidate system designed to preserve the flexibility and capacity 
advantages of the digital computer in the ACT Primary System while positively guarding 
against the generic software error failure mode. There the Essential Computers are 
analog and redundant in the "brick-wall" configuration, in which no cross-channel 
communication is allowed. The "no cross channel" concept is carried out to the ultimate 
degree by use of four separate elevators having no interconnection. The digital ACT 
Primary Computer output is limited and added to the full-time Essential System elevator 
commands, such that a generic software error in the ACT Primary System cannot call for 
hardover deflection of the elevators. This system is unacceptable because of the last 
listed "con" item. The reliability requirement of the crucial functions cannot be met by a 
system that is only once fail-operative. 
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• Ready match to test airplane 
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ative unless switchable as above and by 
redundant switching means 


Figure 1 1. Candidate Proposed Demonstration ACT System 
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Figure 11 is a system form that uses the Selected System force-summed elevator 
secondary actuators, but with the servocommands selected by separate monitor logic from 
either the digital ACT Primary Computers or the analog Essential Computers. The 
monitor switching logic must be redundant to avoid the single-point failure liability. 
Arguments against this system were reduced by; 

• Addition of a fourth secondary actuator to use the fourth computing channel while 
preserving brick-wall redundancy in all of the Essential System electronics 

• Addition of a fourth digital ACT Primary Computer to enable dispatch with one ACT 
Primary Computer down while still meeting the reliability requirements shown in 
Table 1 


• Addition of four-channel switching logic with a "redline monitor" as protection 
against the generic error in the ACT Primary System 

With these changes, this last candidate became the Demonstration ACT System 
architecture, described in the following text and figures. Figure 12 shows the Figure 11 
candidate with the changes cited, and Figure 13 relates the Demonstration ACT System 
architecture to the three ACT systems studied in the prior current technology system 
phase. 

5.2.2 SYSTEM DESCRIPTION 


5.2.2. 1 Basic Configuration 

The Demonstration ACT System is shown in Figure 1^ in general arrangement form, 
emphasizing the interrelationship of major groups of system components. Figure 15 is a 
representation of the Demonstration ACT System with redundancy of the line replaceable 
units (LRU) indicated. 

The sensors that the system requires are little changed from those of the Selected System 
(refs 8 and 9). It is necessary to add redundant sensing to the cockpit controls to enable 
including FBW in all three axes. In other respects the sensor set is essentially that of the 
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Figure 12. Modified Proposed Demonstration ACT System 
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Selected System. For reasons of precision, stability, and resolution, linear variable 
differential transformers (LVDT) were chosen as the sensors for manual cockpit controls. 

Computing in the Demonstration ACT System (fig. 16) is performed in two separate 
redundant computer sets, the ACT Primary Computers and the Essential Computers, as in 


Current 

Tech- 

nology 

System 


Demon- 

stration 

ACT 

System 

study 


System type and 
architecture 


Advantages 

Disadvantages 

• Simplest 

• Common mode 

• Lightest 

software failures 

• Cheapest 

• Not possible to 

• Best return on 

provide adequate 

investment 

failure coverage 

• Independent compu- 

• Common sensors 

tationfor each function 

(DADC and IRS) 

• Lower probability of 

compromised 

multiple-function loss 

independence 

• 22 computers 
make this most 
complex, heaviest, 
and most expensive 

• Common mode 
software failure 
compromised 
essential functions 

• Simplified essential 

• Common mode 

software and 

software failure 

hardware 

in essential 
functions 

• Four brick-walled 

• Analog circuits 

analog channels 
eliminate common 
mode failures in 
essential functions 

• Coverage not a 
driver of reliability 

• Analog computation 
simpler and more 
reliable than digital 

tend to drift 


Integrated 
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controlled by 
four central 
digital computers 


Segregated 

Each function 
controlled by 
its own triple 
or quadruple 
digital computers 
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Three central 
digital computers 
control all critical 
functions; four 
simple digital com- 
puters control 
crucial function 
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Figure 13. Design History Leading to Definition of Demonstration ACT Architecture 


26 


C 





Figure 14. Demonstration ACT System With Fiy by Wire— General Arrangement 


the Selected System. Both sets of computers are different from the form shown under the 
Selected System definition. The ACT Primary Computers of the Demonstration ACT 
System are again digital computers having a common set of software, but there are now 
four to allow the Demonstration ACT System to be dispatched with any one LRU failed. 
The quadruple Essential Computers, which must perform all control functions essential to 
flight if the ACT Primary Computer set fails, are now analog instead of digital. The 
analog Essential Computers were chosen with the presumption that if they are extremely 
simple they will have greater reliability than a simple digital computer set with common 
software. The redline monitor is implemented in the Essential Computer set. 


Actuation in the Demonstration ACT System is similar to that of the Selected System 
except that a fourth elevator secondary actuator is added. To achieve maximum 
simplicity in the analog Essential Computers, they are of the brick-wall configuration, as 
shown in Figure 16, down to the output monitor level. Cross-channel comparison occurs 
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Figure 15. Demonstration ACT System Diagram 
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at the servo output in the form of force voting using detents or shear-outs to isolate 
failed channels and at the servomonitor operating on spool position feedback. With this 
configuration, it was necessary to add the fourth secondary servo to make best use of the 
fourth signal channel in both sets of control computers. 
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Figure 16. Demonstration ACT Control Computers and Elevator Servos 
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5.1.2.2 Detailed Description 


Figures 17, 18, and 19 show the arrangement of the Demonstration ACT System LRUs and 
the sensors and the servos for the three control axes of the airplane, accounting for both 
the active controls and the FBW requirements. These semipictorial diagrams show the 
redundancy level associated with each of the individual LRUs. Table 2 lists the 
aerodynamic control surfaces used by this system. It associates those surfaces with the 
functions that they serve and shows the number of units involved in each of the axes and 
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sensors 


Figure 17. Demonstration ACT System Pitch Axis 
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Figure 18. Demonstration ACT System Yaw Axis 
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Figure 19. Demonstration ACT System Roil Axis (Showing Right Wing Controls Only) 
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Table 2. Aerodynamic Control Surfaces 


Surface 

Use 

Number 

of 

surfaces 

Number 
of power 
actuators 

Number of 

secondary 

actuators 

Command 

computers 

Remarks 

Elevators 

Pitch, manual^ 

PASshoRT 

PASspeeq 

WLA (pitch moment 

compensation) 

AAL (via column 
pusher) 

2 

6 

4 

ACT Primary 
and Essential 

Double hinged 

Rudders 

Yaw, manual^ 
LAS 

2 

4 

2 

ACT Primary 
and Essential 

Double hinged 

Ailerons, 

outboard 

Roll, manual^ 
(low speed) 
WLA*^ 

2 

4 

4 

ACT Primary 
and Essential 

Manual below aileron lockout 
speed; active above 
aileron lockout speed 

Ailerons, 

inboard 

Roll, manual^ 
(high speed) 

2 

4 

- 

ACT Primary 

Above aileron lockout 
speed 

Spoilers 

Roll, manual^ 
Speed brakes 
Ground lift 
spoiling 

14 

14 


CSEU 

No ACT application 

Flaperons 

WLA*^ 

4 

8 

- 

ACT Primary 

Used flaps-up only 

Stabilizer 

Pitch trim 
PASgpEED 

1 

2 

— 

CSEU 

Offloads elevator in 
PASgpEED 


^"Manual" (primary) control surfaces are also used in autopilot modes. 
^WLA = maneuver-load control -(-gust-load alleviation. 


functions. Each of the double-hinged elevators and rudders operates as a single unit. The 
rudder ratio changer, not shown in these diagrams, operates exactly as in the non- ACT 
Boeing airplanes. 


The flaperons are unconventional wing trailing-edge control surfaces carried by trailing- 
edge flaps. They are effective in wing-load alleviation, both for maneuver-load control 
and gust-load alleviation, and are active only in flaps-up, high-speed flight. Their 
actuation requires special provisions, which are described in Subsection 5.3.3. 


5.2.3 OPERATION 


The active control functions implemented in this system are PAS, both short period and 
speed; LAS; WLA, composed of MLC and GLA; and AAL. All of these functions are the 




r 


same as their counterparts in the Selected System. Table 1 shows the required reliability 
of these functions. 

In normal operation, the digital ACT Primary Computers perform all ACT computing for 
the complete set of functions as described previously. The computers also provide the 
coupling and filtering of the manual control signals from the pilot's controls to the 
servoamplifiers that drive the secondary actuators for primary flight controls. The 
autopilot couples to the flight controls by way of the digital ACT Primary Computers, 
where switching between manual and autopilot flight control is accomplished in software. 
The ACT Primary Computers are fully self-monitored and cross-channel monitored, 
including sensor signal selection and failure detection and servomonitors. The ACT 
Primary Computers also monitor the Essential Computers and provide failure information 
to the crew; they do not have the authority to shut down the Essential System. The ACT 
Primary Computers monitor themselves and are able to switch themselves out of the 
control loop, calling for takeover by the Essential Computers. 

If the ACT Primary Computer set is lost, the analog Essential Computers provide the four 
essential functions: short-period pitch augmentation and the three pilot flight control 
commands to the three primary axes. The means of switching between the digital ACT 
Primary Computers and the analog Essential Computers is provided in the form of 
separate redundant discrete logic units each driving a single switchover channel (fig. 16). 
The logic will perform the switchover function in response to either of two conditions: 

• Voting on the failure status signals from the digital ACT Primary Computers, which 
determines that the ACT Primary Computer set has failed. 

• A redundant redline monitor function in which the logic determines that improper 
commands are being calculated for the servoactuators based upon a reasonableness 
comparison of the current flight condition and the servocommands. This function is a 
concept only; no practical implementation suited to this application has been 
developed. 

The redline monitor idea has been proposed a number of times in the past for applications 
such as the ACT system switchover to backup computing. In Boeing history such a 
monitor has never been implemented. For the Demonstration ACT application, it would 

34 


C 


( 


C 


C 


C 


C 


C 


c 


c 


(. 



■:) 


3 


have to be part of the analog Essential System, adding significant complexity to those 
computers and probably affecting the system architecture shown in this report. 

5.3 COMPONENTS 
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5.3.1 COMPUTERS 

The Demonstration ACT System illustrated in Figure 15 uses a quadruple set of digital 
computers to provide active control and manual control functions. A quadruple set of 
analog computers is provided as a backup for crucial functions. 

The ACT Primary Computers to be used in the Demonstration ACT System are similar to 
the Selected System ACT Primary Computers described in References 8 and 9. These are 
general-purpose digital machines with autonomous input/output (I/O). Figure 20 shows a 
block diagram of the computer. The major differences between the Demonstration ACT 
System and Selected System computers are in the output section. Table 3 summarizes I/O 
for the Demonstration ACT System. The Demonstration ACT System digital ACT 
Primary Computers command servos for crucial functions only through the Essential 
Computers. Servodrives for these functions are contained in the analog Essential 
electronics. The Essential servodrives may be commanded by either the digital or the 
analog computers. In the Integrated and Segregated Systems, the servo was shut down 
when a computer output failed. If this procedure were followed in the Demonstration 
ACT System, a computer failure would result in loss of a servo, and two servos will 
typically be shut down before the backup computers were switched in. This was avoided 
in the Selected System by voting the ACT Primary Computer elevator commands in the 
Essential PAS Computers. This was easily done with the digital backup, but putting a 
voter in the analog electronics adds unnecessarily to the complexity of the Essential 
System. Therefore, a dedicated voter microprocessor has been added to the ACT Primary 
Computer to provide the voting function that is independent of the ACT Primary 
Computer computer processing unit (CPU). A single-chip microcomputer using only "on- 
chip" memory should be sufficient for the task. This voter can also provide additional 
monitoring of the ACT Primary Computer outputs. 


Each computer has internal monitors to check the operation of the computer, as described 
j in References 8 and 9. Of particular interest are those hardware monitors that operate 
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Figure 20. Demonstration ACT System— ACT Primary Computer Block Diagram 
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Table 3. ACT Primary Computer Inputs and Outputs 



Inputs 

Outputs 

Power 

ACT channel 28V dc power 


Digital 

Air data (AR INC 429) 

Inertial reference (ARINC 429) 
ACT Maintenance and Display 
Computer (AR INC 429) 
Cross channel (high speed) 

Elevator command (ARINC 429) 
Rudder command (ARINC 429) 
Outboard aileron command 
(ARINC 429) 

ACT Maintenance and Display 
Computer (ARINC 429) 

Cross channel (high speed) 

Analog 

Pitch rate 
Column force 
Wheel position 
Rudder pedal position 
Wing normal acceleration 
Dynamic pressure 
Stabilizer position 
Flap position 
Nonessential servo 
feedback variables 
Analog Essential Computer 
monitoring outputs 
LVDT reference voltage 

Inboard aileron command 
Inboard flaperon command 
Outboard flaperon command 

Voter outputs 

Elevator command 
Rudder command 
Outboard aileron command 

Discrete 

Air-to-ground logic 
Test initiate 
Electric power monitor 
Hydraulic pressure monitor 
Pneumatic pressure monitor 
Stick pusher solenoid valve position 
Stick pusher dump valve position 
Slat position 

Essential servo bypass valve position 

Warning displays 
Self-test 

Stick pusher activate 
Stabilizer drive 
Shutdown nonessential servo- 
commands 

Failure status to swichover logic 


independently of the software. Most important of these is the watchdog monitor. The 
watchdog monitor requires the CPU to reset a timer within a specific time window 
following a reference timer interrupt. Failure to reset the timer results in a fault 
indication. The watchdog monitor thus detects any failures that prevent the computer's 
responding to timer interrupts or executing the software required to reset the timer. This 
would Include any software errors that cause the computer to shut down. An output 
timing monitor is implemented using a similar technique. A timer is reset when the 
output command is updated, and failure to update the command at the proper time results 
in a fault indication. This detects any error that prevents execution of a control law or 
causes the output to be updated at the wrong rate. Protected memory and data access 
monitors provide additional means of detecting errors and failures. 
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5.3.2 SENSORS 

The system shares sensors with the automatic flight control system (AFCS) and display 
functions where appropriate. The Baseline Airplane has many of the sensors required for 
the ACT functions; some special sensors must be added to meet ACT system standards of 
performance and redundancy. Figure 21 shows general locations of the ACT sensors. 
Table ^ lists all required sensors and associates them with the ACT functions that they 
serve. Table 5 is a condensed table of sensor specifications. 

The crucial short-period PAS function has quadruple redundancy to meet the reliability 
requirement. The airplane pitch rate is determined in triplex by the inertial reference 
system (IRS). Addition of a fourth IRS is not economical. Furthermore, the IRS has a 
comparatively high failure rate, which is a severe drawback in a sensor for the crucial 
PAS control law. It is essential to have a small and reliable source of pitch-rate signal for 



Figure 21. ACT Sensor Placement 
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Table 4. Sensors for ACT Systerris 


Sensed \ ACT 

PASshorT 

PASspeed 

Wing-load alleviation 

LAS 

FBW 

AAL 

quantity \ function 

MLC 

GLA 

Vertical acceleration 
at center of gravity 



IRS 3 ® 





Vertical acceleration 
(wing) 




Accelerometer,^ 

(D 




Pitch rate (body) 

IRS.© ^ 
VYRO.b© 






IRS,© 

Yaw rate and roll 
angle (body) 





Inertial reference 
system,® 




3 

•o 

c 


CD 

3 

V* 

O 


Airspeed/Mach 
number 


Digital air data computer, © 


Control column 
force 


Force trans- 
ducer^, © 


LVDT,^© 


V£> 


Rudder pedal 
position 


LVDT,*^© 


Wheel position 
transducers 


LVDT,'’© 


Angle of attack 


DADC,© 


Flaperon servo 
position 


LVDT^© 

(inboard) (outboard) 


Outboard aileron, 
servo position 


LVDT,^© (included 
in secondary actuator) 


C/) 

CD 

3 

o 


Q. 

O' 


O 

7T 


Elevator servo 
position 


LVDT,^ Q) (included in secondary actuator) 


Rudder servo 
position 


Stabilizer servo 
position 


LVDT,°(J) 


LVDT b (3) 
(included in 
secondary 
actuator) 


Circled letters refer to Table 5. 
Censors added for ACT. 


IRS inertial reference system 
DADC digital air data computer 


LVDT linear variable differential transformer 
VYRO pitch-rate sensor (trade name) 



Table 5. Sensor Specifications 



Sensed quantity 

Instrument 

Range 

Sensitivity or accuracy 

Excitation 

© 

Vertical acceleration 
at center of gravity 

Inertial 

reference system (IRS) 

±4g 

±0.01 g 

115V, 400Hz, 
28V dc 

© 

Vertical acceleration (wing) 

Accelerometer^ : eg, 
front spar 

Accelerometer^ : rear spar 

±5g 

±20g 

IV dc/g 
0.25V dc/g 

28V dc 
28V dc 

© 

Pitch rate (body) 

ms 

VYRO® 

±1.22 rad/s 
±1.22 rad/s 

0.0017 rad/s or 1% 
0.012 rad/s or 1% 

115V, 400 Hz, 
28V dc 

12V dc 

0 

Yaw rate (body) 

IRS 

±0.7 rad/s 

0.0017 rad/s or 1% 

115V, 400 Hz, 
28V dc 

© 

Airspeed 

Digital air data computer 
(DADO 

±1024 kn 

±1 to 4 kn, 
depending on speed 

115V, 400 Hz 

© 

Control column force 

Linear variable 
differential transformer 
(LVDT)^ 

±529N 

0.0058 V/N 

26V, 400 Hz 

© 

Angle of attack 

Digital air data computer 

±1.05 rad, electrical i 

±2.1 rad, mechanical 

± 1.5 V/rad 

26V. 400 Hz 

© 

Model channel position 
feedback 

LVDT*^ 

±0.01 9m 

±0.5% 

26V. 400 Hz 

© 

Surface servo position 
feedback 

LVDT^ 

±0.09 1m 

±0,05% 1 

26V, 400 Hz 

© 

Hydraulic pressure 
failure detector 

LVDT*^ 

±0.005m 

±1% 

26V, 400 Hz 


^Sensors added for ACT. 

typical of several; used in various functions. 




the ACT system. The VYRO, a small, long-life, vibrating-beam sensor designed by 
General Electric, is one of the acceptable sensors that can supply the quadruple pitch-rate 
signal. 

The airspeed variables shown in Table ^ are needed for gain variation schedules in several 
control loops. The table also shows the control surface servo LVDTs that are used to 
sense manual control position for FBW, close the servo loops, and monitor failures. 

5.3.3 ACTUATORS 

Table 6 lists the characteristics of the various actuators that serve to control the flight 
control surfaces of the ACT airplane; actuators that are not used by ACT are not 
included. The technology that is the basis for the choice and design of these actuators is 
the same as that for the Selected System (refs 8 and 9). These references discuss 
alternative actuation concepts from which these particular designs were chosen. 

Most of the Demonstration ACT System inputs to the airplane control surfaces are 
accomplished via force-summed secondary actuators. The force-summed actuation 
scheme is illustrated in Figure 22. Each actuation channel contains a two-stage 
electrohydraulic servovalve that converts the input electric signal into hydraulic flow. 
The hydraulic flow displaces the actuator piston against the centering spring. A position 
transducer LVDT is used to close the position loop. A load limiter that limits the pressure 
difference across the actuator piston is used to limit the maximum output force to 1800N 
(400 Ibf). This force is available to prevent minor jams. For normal operation, the force 
output required is about 90N (20 Ibf). For a three-actuator system, a pogo (force detent) 
is also provided to serve as an additional antijam device. The pogo load is set to exceed 
the maximum output force of one actuator but be below the combined maximum output 
force of two actuators. Thus, if one actuator completely jammed, the combined force of 
the other two actuators would collapse the pogo and the system would remain fail- 
operational. Hardware used in this application is a lightweight, off-the-shelf secondary 
actuator with performance proven in other Boeing programs. Two or four redundant 
actuators are used for each ACT function, depending on the redundancy requirements of 
the particular function. The two-actuator system with mathematical model provides fail- 
operational capability. 



Table 6. Demonstration ACT Actuator Characteristics Summary 



Surface actuator 

Secondary actuator 

Type 

Number 

per 

airplane 

Maximum 

output, 

N.m 

Average 

rate, 

deg/s 

Maximum 

deflection, 

deg 

Maximum 

no-load 

rate, 

deg/s 

Open- 

loop 

gain, 

rad/s 

Weight 
estimate, 
kg (lb) 

Type 

Number 

per 

airplane 

Design 

rate, 

deg/s 

Open- 

loop 

gain, 

sec 

Authority, 

deg 

Configuration 

Weight 
estimate, 
kg (lb) 

Outboard 

aileron 

[s> 

4 

2 430 

115 

o o 

150 

40 

- 

G> 

4 



80 

+20 

-30 

Secondary 

actuator 

3.6 (8) 

Inboard 

aileron 


4 

8 120 

35 

±20 

46 

20 

- 

No secondary actuator used 


Outboard 

flaperon 


4 

1 190 

115 

o o 

77 

150 

40 

7.3 (16) 

No secondary actuator used 


Inboard 

flaperon 


4 

3 400 

115 

o o 

77 

150 

40 

7.3 (16) 

No secondary actuator used 


Elevator 


6 

7 344 

40 

+20 

-30 

55 

20 

6.4 (14) 


4 

[!>> 

80 

-20 

+30 

Secondary 

actuator 

3.6 (8) 

Rudder 


4 

20 902 

55 

±25 

76 

20 

- 

G>> 

2 


80 

+4 

-4 

Secondary 

actuator 

3.6(8) 


-p* 

fO 


Surface actuator controls surface; secondary actuator controls surface actuator 
Hydraulic power requirements: 

• Proof pressure: 37 233 kPa; high pressure: 20 700 kPa; low pressure: 

350 to 690 kPa 

• Extreme temperature: -54° to 125°C 

• Operating temperature: -40° to 71°C 

Side-by-side actuator, two for each surface; mechanical Input/mechanical feedback 
(mechanical input furnished by FBW secondary actuators) 

Two side-by-side electrohydraulic actuators 


[B>> Same as b except three for each surface 

Side-by-side force-summed secondary actuators— 
each actuator contains LVDT, bypass filter, and 
centering spring with maximum force of 230N. 
Maximum output force is limited to 1780N. 

Each secondary actuator has maximum rate of 
127 mm/s and 38-mm stroke with linkage and 
mechanism. Stops make authority differences. 
This rate exceeds maximum no-load rate of the 
surface actuators. 
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Figure 22. Force-Summed Actuators 


^ The flaperon actuation system poses a difficult design problem. Although operation will be 

required only when the trailing-edge flaps are fully retracted, flaperon actuation 
installation must accommodate the large flap motion during extension. At least two 
actuators and thus two hydraulic power systems are required for each flaperon to meet 
J the redundancy requirements. Loss of a flap could cause the loss of two hydraulic 

systems. 

The hydromechanical actuation system consists of two actuators and two flaperon lock 
J systems powered by aircraft hydraulic power and electric power. The hydraulic power and 
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ACT electric control signals are supplied to the flaperon as shown in Figure 23. Hydraulic 
power is transmitted to the actuators through hydraulic lines and swivel joints. These 
hydraulic lines and swivel joints are well shielded from the runway and tire debris by the 
flap support fairing. The swivel joints possess the same high degree of reliability as the 
swivel joints that provide flow to the spoiler actuators on the Boeing 727 and 7^7. 



Figure 23. Flaperon Actuation (Hydraulic Power Through Swivel Joints) 


The lock system (fig. 24) provides that in the event of total loss of hydraulic power to the 
flaperon actuators, the flaperons will be returned to neutral and held there so that normal 
trailing-edge flap action is preserved. The lock system works by means of a cam, spring 
loaded toward a centering detent. The spring is compressed for normal flaperon operation 
by a hydraulic piston; on loss of hydraulic pressure the spring is released, driving the cam 
into the detent to carry the flaperon to neutral. 

As shown in Figure 25, two actuators and two hydraulic power systems are required for 
each flaperon to meet its redundancy requirement. A major concern is that a flap loss 
would cause the simultaneous loss of two hydraulic systems. Because of this, the proposed 
design provides power capability from two hydraulic systems, but only one hydraulic 
power system is directly connected to the flaperon actuators. Hydraulic power to the 
actuators is normally supplied by hydraulic system A. Only one set of hydraulic lines is 
brought to the actuators through swivel joints. A hydraulic motor-pump unit is used to 
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connect hydraulic system B to hydraulic system A for power redundancy. In normal 
operation the motor-pump unit is stalled and is therefore inactive. Should hydraulic 
system A fail, the hydraulic motor in system B will automatically provide power to the 
pump in system A. The pump in system A will pressurize the hydraulic fluid in the local 
flaperon area with makeup fluid from the level-sensing reservoir. If a major fluid leakage 
occurs in the local area or if the flaperon is lost, hydraulic systems A and B will remain 
operational. System B will remain operational because it is not directly connected to the 
flaperon. System A will remain operational because the level-sensing reservoir and the 
normally closed shutoff valve will respond to block the path of the fluid flow to the 
flaperon. 



The actuators shown in Figure 25 are force-summed actuators. Each actuator possesses 
the full force and rate capability required to drive the flaperon. 

The remaining special actuator required by the ACT system is the stick pusher for angle- 
of-attack limiting. The AAL system senses an impending stall condition and first provides 


t^5 


J 







r 


Hydraulic 
system A 



c 


f 


c 


c 


c 


c 


Figure 25. Flaperon Hydraulic Actuation System 


the pilot aural and tactile warnings by the stick shaker. If the angle of attack continues 
to increase, the system then applies forward (airplane nose down) torque to the pilot's and 
copilot's control columns by a stick pusher. This is accomplished by employing a dual- 
tandem floating actuator to pull the control column forward when the actuator is 
pressurized. Figure 26 is a block diagram of the system. Four electric channels and two 
pneumatic channels are used to ensure fail-operational capability against either 
inadvertent actuation or failure to actuate when needed. The actuator will provide a 
starting force of 356N (80 Ibf) when pressurized by either one or both sides. As shown in 
Figure 26, the installation linkage is such that the force exerted on the control column is 
continuously reduced as it travels forward. 
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Figure 26. Stick Pusher Actuation Concept 
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5.3.4 SOFTWARE 

The software engineering problem in the large sense was worked in the latter stages of 
the Current Technology ACT Control System Definition phase of the lAAC Project and 
continued thereafter. The work emphasized organization and control of software 
engineering to achieve the goal of very high software reliability or reliability of software- 
controlled processes, especially the avoidance of the "generic software error." Such an 
error could result in simultaneous malfunction of all the computers of a redundant set 
such that they cannot recognize any error by cross-channel comparison. Computer 
software design was not specifically treated in the Demonstration ACT System contract 
element. 

Program memory requirements for the Demonstration ACT System should be similar to 
those of the Integrated System (refs 8 and 9). 

5.4 REDUNDANCY MANAGEMENT 


( 
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Redundancy management for the Demonstration ACT System is similar to that described 
for the Selected System in References 8 and 9. Differences occur in servomonitoring of 
crucial servos, monitoring of the Essential Computers, and the manner in which control is 
switched from the ACT Primary System to the Essential System. 

Servos for crucial functions are driven from servoelectronics in the Essential Computers. 
These computers are analog in the Demonstration ACT System instead of the digital 
computers used in the Selected System. To maintain the servomonitoring function when 
the ACT Primary Computers have failed, the servomonitor must be part of the Essential 
Computers. An analog monitor is therefore used in the Demonstration ACT System. 
Figure 27 is a block diagram of the elevator servomonitor. Monitoring is done by 
comparing the positions of the secondary servo spool valves. Differences between spool 
valve positions are run through a threshold comparator that outputs a logic 1 if the 
threshold is exceeded. To protect against transients, a time threshold is also used. This 
takes the form of an integrator that integrates up when the output of the first comparator 
is 1. When the output of the first comparator is 0, its integrator output voltage is allowed 
to bleed back to 0. Output of the integrator is run into a second threshold comparator 
that is latched to indicate a failure if the threshold is exceeded. By controlling the rate 
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Figure 27. Block Diagram of Elevator Servomonitor (Shown for Channel A) 


















at which integration and bleedoff occur, this algorithm will provide both transient 
protection and oscillatory failure detection. A digital implementation of this same 
algorithm was used in the Selected System. This algorithm was evaluated by simulation in 
which it demonstrated satisfactory performance. Results of this simulation are discussed 
in detail in References 8 and 9. 

The ground rule for a twice-fail-operative system requires that after any two failures, 
including like failures in redundant channels, the system still operates properly. Use of a 
quadruple system with four servos, as in the Demonstration ACT elevator control, 
eliminates the need for mathematical models of the servos to meet the twice-fail- 
operative specification. It also introduces the possibility of the "two-two split" in which 
two channels fail to an identical deflection command and the system does not know which 
is the failed pair. 

The ACT system guards against the two-two split by positively identifying, with the logic 
of Figure 27, the first failed channel and bypassing its servoactuator. Then the second 
failure is readily identified by the same logic. For this circuit to be unable to handle the 
two-two split, the two channel failures would have to be to the same erroneous command 
and would have to occur within the time constant of the antitransient integrator. Because 
that time constant is less than 1 sec, exposure to this simultaneous dual failure is 
negligibly small. 

The elevator has four secondary servos, thus eliminating the need for a mathematical 
model to provide fail-operational/fail-operational performance. The rudder and aileron 
surfaces driven from the Essential Computers have only two servos per surface. A 
mathematical model is needed to determine which servo has failed if a disagreement 
occurs and to provide monitoring when only one servo is operating. Figure 28 is a block 
diagram of this monitor. The spool valve positions are compared as before, but the output 
of the second comparator enables a comparison with the mathematical model rather than 
being fed into a logic network to determine if the local servo has failed. This 
mathematical model is typically a simple gain, or at most a lag filter, and its output is 
compared to the actual spool valve position. If a threshold is exceeded, and the 
comparison output is enabled due to a miscompare between the two servos, the servo is 
shut down. 
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Figure 28- Block Diagram of Servomonitor for Rudder and Aiieron Ser\/os (Shown for Channei A) 
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The Essential Computers in the Selected System were digital and provided their own self- 
test and monitoring. Simple analog computers have replaced the digital Essential 
Computers for the Demonstration ACT System. Because self-test and monitoring 
hardware adds greatly to the complexity of an analog system and it is desirable to keep 
the Essential Computers simple, monitoring of the Essential System has been transferred 
to the digital ACT Primary Computers. This is done by cross-channel comparison of the 
computer outputs. Protection against latent faults depends upon an adequate preflight 
test. Monitoring by the digital computer is strictly advisory; the digital computer cannot 
shut down the analog computer. 

Switching from primary to backup control is performed by switchover logic contained in 
the Essential electronics. This logic determines if switching is required based upon signals 
from the digital computers and from the redline monitors. Discrete signals from each of 
the computers indicate each computer's evaluation of system status based upon cross- 
checks. If at least two of four computers indicate a channel is failed, that channel 
is considered failed. Signals from the failed channel are then disregarded. If three of the 
four channels fail, control is switched over to the backup analog computers. A time delay 
is built into the voter to allow reconfiguration within a time limit. In addition, output of 
internal hardware monitors, such as the watchdog monitor, is run directly to the 
switchover logic to protect against software errors. The redline monitor provides 
additional protection by monitoring airplane performance. A possible strategy might be 
to monitor normal acceleration and PAS outputs. If the normal acceleration exceeds a 
threshold and the PAS commands tend to increase normal acceleration, the redline 
monitor would interpret this as a failure of the digital PAS and initiate a switchover to 
the analog backup. Each channel contains a redline monitor as part of the Essential 
electronics. Two of four redline monitor trips are required to initiate switchover. 

One of the major redundancy management concerns of all digital systems is how to 
protect against software errors. Common software provides a potential single-point 
failure mode— the "generic software error" cited in Subsection 5.2.1. Various means are 
used to protect against this in the Demonstration ACT System. First among these is the 
provision of an independent backup. This means that it is necessary only to detect a 
failure caused by a software error and switch to the backup. This is a much easier task 
than detecting a failure, isolating the failure, and reconfiguring to provide continued 
operation, which would be required if a backup were not available. 
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Failures are detected by the hardware monitors discussed previously. These monitors 
operate independently of the software and thus provide protection against system failures 
3 whether they are caused by hardware faults or software errors. In addition, there are 

independent software checks. Reasonableness tests on the outputs are performed by 
software modules separate from those that compute the outputs. These tests in 
combination make it unlikely that a single software error could result in an erroneous 
3 output that is undetected either by software checks or by a hardware monitor. In the 

unlikely event that an error, or combination of errors, does result in an undetected system 
failure, the watchdog monitor is provided as an additional safeguard. 

3 5.5 RELIABILITY 

5.5.1 PREDICTION OF SYSTEM RELIABILITY 

D The Demonstration ACT System contains a digital ACT Primary System that is virtually 

identical to the Integrated System (refs 8 and 9). An analog backup system has been 
added that consists of means to detect failure of the ACT Primary Computer digital 
servocommands, analog filters to provide crucial commands, and the switchover logic to 
3 bring the analog set into use (fig. 16). 

The analog backup system is strictly for the crucial functions; Essential PAS and FBW. 
Thus all other function reliabilities, diversion probabilities, and dispatch reliabilities will 
3 be the same as those predicted for the Integrated System (refs 8 and 9). Although digital 

system probabilities were computed assuming error-free software, this assumption no 
longer impacts aircraft safety or the X<10~9 per 1-hr flight requirement, as an analog 
backup system is now provided for crucial functions. 

3 

5.5.2 PREDICTION OF ESSENTIAL FUNCTION RELIABILITY 

Predictions of the reliabilities of analog Essential PAS and FBW were made using the 
3 following assumptions; 

• The beneficial contribution of the digital ACT Primary System to achieving a 
probability of failure less than 10-9 per 1-hr flight was ignored. The calculations 
3 assumed the worst case condition (i.e., the ACT Primary System fails immediately on 
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liftoff) and also assumed that the probability predicted is that the system will not 
switch over to the backup mode, or that the Essential PAS and all-axis FBW will not 
function successfully for the 1-hr flight. ^ 

• There are many ways the ACT Primary System computation could fail, and there are 
three detectors by which the failure can be known: the computer self-check, the 

voter computer check, and the redline monitor. Distribution of the various kinds of f 

failures is unknown, and there is overlap in the ability of different detectors to 
detect different kinds of failures. The probability that a failure will not be detected 
is assumed conservatively to be the unreliability of the redline monitor. No credit is 
taken for detection in the digital computer self-test or in the ACT Primary System 
voters because they have software common to all channels, which compromises the 
independence of redundant channels. 

• The four analog backup channels are totally independent of one another up to the C 

mechanical voter, which combines the outputs of the secondary actuators. 

• The failure probability of the mechanical voter is better than 10~9 per 1-hr flight and 

is therefore neglected. ^ 

• An independent fourth hydraulic power source is provided to power the fourth 
secondary actuator, and the unreliabilities of all hydraulic power sources are assumed 

equal to the average of the unreliabilities of the three hydraulic systems used in the C 

Integrated System (refs 8 and 9). 

• Essential PAS, because it operates in the pitch system, is vulnerable to any fault in 

the pitch system. Its failure probability is therefore computed as if all pitch FBW C 

components were part of Essential PAS. 

Figure 29 shows a preliminary layout of the analog Essential Computer. The failure rate 
was predicted by MIL-HDBK-217C piece-part analysis using high-reliability components ^ 

(table 7). A similar piece-part analysis of the servoamplifiers and of a voter, previously 
designed for a similar use, yielded the component reliabilities used in the calculations. 

The channel failure rate was simply the sum of all the failure rates of redline monitors, 
switching, analog computers, switching relays, servoamplifiers, secondary actuators, and ^ 
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Figure 29. Simplified Block Diagram of Analog Essential Computer 






















Table 7. Component Failure Rates 


Component 

Failure rates per million hours 

Source 

Pitch analog computer components 



Operational amplifier 

0.1 per pair 
(in one package) 

MIL-HDBK-217C 

Resistors-film 

0.07 each 

MIL-HDBK-217C 

Capacitors-solid tantalum, electrolytic 

0.00025 each 

MIL-HDBK-217C 

Relay dry circuit— mercury, wetted 

0.0161 each 

MIL-HDBK-217 

Analog computer-pitch channel— total 

1.27 

Summed from components 

Switching logic components 



2-input OR gates, 4 per package 

0.141 per package 

MIL-HDBK-217C 

3-input AND gates, 4 per package 

0.161 per package 

MIL-HDBK-217C 

4-input OR gates, 2 per package 

0.0616 per package 

MIL-HDBK-217C 

J-K flip-flop, 8 gates per package 

0.0265 per package 

MIL-HDBK-217C 

Switching logic— total 

5.1 

Summed from components 

Other analog channel components 



Servoamplifier 

17.6 each 

Boeing calculation 

Secondary actuator 

38.6 each 

Boeing experience with similar items 

Dedicated Q sensor 

10.0 each 

Manufacturer's estimate 

LVDT column sensor 

14.0 each 

Boeing experience 

Average hydraulic system 

28.0 each 

Baseline Aircraft prediction 


hydraulic power systems. The unreliability of the set was then the probability of at least 
three of four channels failing in a 1-hr flight (fig. 30). 


The redline monitor has not been designed in sufficient detail to permit a failure rate 
prediction. Instead, what was calculated was the allowable maximum failure rate that the 
redline monitor could have without making the system unreliability exceed the 10"9 per 
1-hr flight allowable rate. For the most difficult task, Essential PAS, the redline monitor 
failure rate must not exceed 515 failures per million flight hours. The solid-state portion 
of several autopilot analog computers, judged to be comparably complex, demonstrated 
failure rates only half as much as this, allowing the conclusion that the Demonstration 
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Figure 30. Block Diagram of One Channel of Quadruple Backup System 


ACT System Essential PAS meets the less than 10"9 per 1-hr flight failure probability 
when all four channels are operating at dispatch. 

3 

A system reliability objective is essential function failure probability less than 10-9 when 
dispatched with any single LRU inoperative. To show a three-channel Essential System 
failure rate less than 10-9, the single-channel failure rate must be less than 18.2 x 10-6. 
This analysis yields a single-channel failure rate prediction of 115 x 10-6; hence the 
objective has not been achieved, and dispatch requires four Essential channels operating. 
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6.0 CONCLUDING REMARKS AND RECOMMENDATIONS 


The Demonstration ACT System task was a brief intermediate study between the current 
technology system work and the Test ACT System. It was designed to enable progressing 
logically from current technology to the Test ACT System without overlooking any 
important factors in selection of the latter. Notable among those factors are (1) advances 
in technology that must be expected in the 5-year interval between the two designs and 
(2) the probable conflict between long-range objectives of ACT system development and 
the short-range objectives of the immediate test program. 

The Demonstration ACT System objectives were accomplished in the sense of achieving 

(1) a rational airplane specification and matching spectrum of active control functions, 

(2) an ACT control system combining the best features of previous lAAC control system 
designs, and (3) identification of the primary technical problems to be solved in the next 
phase of work. Those steps led to the following conclusions: 

• The ACT airplane and the matching Demonstration ACT System architecture provide 
a usable basis from which the Test ACT System may be derived. 

• Definition of the Test ACT System should proceed. 

• Further work is required on the important technical issues such as the ACT Primary- 
to-Essential computer reversion technique. 
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